Is Php session data secure?

Question

Let's assume some validated data gets passed from one PHP page to another using session parameters.

How can I be sure on the second php page, this session data is still the data I validated on the first php page? From what I understand the session data is stored in cookies on the users computer. So what stops the users from injecting corrupted data into that sessions cookie?

Because in my scenario I need to rely on the fact, that the data passed to the second page is already validated.

So the main question is how do I pass validated data securely from one page to another?

Many thanks in advance, Flo

Answer 1

The session data itself is stored server side. The only thing that is stored on the client's computer is a cookie with a unique identifier so the server knows which session to load at the server side.

Users cannot manipulate the data stored in the session itself, so in that sense, sessions are secure.

Then of course, the cookie itself could be stolen from a user and used by another user (a practice called 'session hijacking'). You can protect your users from this by for example locking a session to their IP-address, browser version, etc and using HTTPS to shield them from people sniffing connections.

Answer 2

Do not store session data is cookies .Store the session data on server side $_SESSION[].For example

<?php
session_start();
// VALIDATION CODE
$_SESSION['name'] = 'Validation name';
?>

now on second page check if this session is set or not. If it is set then the user is validated

<?php
session_start();
if(isset($_SESSION['name'])){
 // USER IS VALIDATED
}else{
// UNAUTHORiZED Access
}
?>

This will be server side so you need not to validate again and again. Thanks

Answer 3

Session data is stored server side only, thus the user cannot edit anything in the session, so it will be save to assume the data validated on page 1 will be the same data on page 2.

// Page1.php
// Set the session on page 1
session_start();
$_SESSION['myValue'] = 'secure_value';

// Page2.php
// Get the session on page 2
session_start();
$validValue = $_SESSION['myValue'];

Don't store any sensitive information in cookies as these are stored client side & can be altered!

Answer 4

From what I understand the session data is stored in cookies on the users computer.

It isn't.

Session data is stored on the server and associated with a particular user+browser via a cookie.

By editing the cookie the user can only:

• Access someone else's cookie (very unlikely)
• Get an new, empty session

Note that there is also a session cookie which is where data is stored on the client. This is a regular cookie with no expiry data which will be expired when the browser closes. This type of cookie is typically used to store the session id on the client.